[12510] in bugtraq
flaw in dmesg under Solaris
daemon@ATHENA.MIT.EDU (echo8)
Wed Nov 10 12:45:35 1999
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-Id: <Pine.BSO.4.10.9911091316010.17012-100000@hobbiton.org>
Date: Tue, 9 Nov 1999 13:22:01 -0600
Reply-To: echo8 <echo8@HOBBITON.ORG>
From: echo8 <echo8@HOBBITON.ORG>
X-To: bugtraq@securityfocus.com
To: BUGTRAQ@SECURITYFOCUS.COM
Under all versions of Solaris prior to 2.7, and under 2.7 prior to patch
106541-07, /usr/sbin/dmesg, when called with the "-" argument, creates
/var/adm/msgbuf owned and writeable by the user who ran the utility, assuming
that the file didn't already exist (it won't until someone runs dmesg -). Once
the file exists, "dmesg -" will not work properly for any other user, and the
file remains, onwed by the user who called the utility.
Under Solaris 2.7, patch 106541-07 addresses the problem by replacing
/usr/sbin/dmesg with a shell script which breaks the functionality of the "-"
argument entirely.
Obviously, Sun is aware of the problem, but I spoke to them on 9/21/99 to
open a service order and get a bugid assigned. I've heard nothing since
then.
